A German software engineer and encryption expert named Karsten Nohl told a group of hackers at the Chaos Communication Congress that he and a group of enlisted contributors had broken the primary encryption code protecting GSM phone calls.
According to The New York Times, spokespeople from the GSM Association shrugged off the news, saying that actually listening in on a call is still practically complex, even with the code book now available online.
However, other security experts disagree, saying the crack now puts mobile interception of the majority of non-3G cellphone calls within reach of “any reasonable well-funded criminal organization.” Simon Bransfield-Garth, CEO of London-based Cellcrypt, said the net effect of Nohl and the company’s work would likely “reduce the time to break a GSM call from weeks to hours.”
The current GSM encryption scheme is known as the A5/1 standard, based on a 64-bit encryption scheme. A newer specification based on more modern and tougher to crack 128-bit encryption called A5/3 has been available since 2007, but few network operators have undertaken the expense to upgrade their networks.
Nohl says the project was meant to point out the vulnerability of the current 64-bit system and “push operators to adopt better security measures for mobile phone calls.” He says his team took precautions to keep the effort within legal boundaries, and “are not recommending people use this information to break the law. What we are doing is trying to goad the world’s wireless operators to use better security.”
You probably don’t have to worry about sniffers on the other end of your next wireless call just yet, but it seems like 64-bit GSM encryption might not be long for this world. Do you think Nohl’s “white hat” efforts will have the desired effect? How do you think carriers should respond to the crack?
[Image credit: soylentgreen23]